Ikigai LawIkigai LawIkigai LawIkigai Law
  • About Us
    • About
    • Our Team
    • FinTales
    • Tech Ticker
  • Practice Areas
  • Blog
  • News & Events
    • Ikigai Law in the news
    • Ikigai Law at events
    • Ikigailaw on the social media
  • Careers

Mapping comments to the Srikrishna Committee on data protection (Part I): Cross-border data flows

    Home Data Governance Mapping comments to the Srikrishna Committee on data protection (Part I): Cross-border data flows
    NextPrevious

    Mapping comments to the Srikrishna Committee on data protection (Part I): Cross-border data flows

    By Ikigai Law | Data Governance | 0 comment | 13 June, 2018 | 2

    This note maps the opinions of some stakeholders to the White Paper of the Committee of Experts on a Data Protection Framework for India, released on 27 November, 2017 (“White Paper”).

    While all responses to the White Paper are currently unavailable, responses of twenty-six (26) stakeholders are available on Dvara Research’s blog, here.

    Background:

    In July 2017, the Ministry of Electronics and Information Technology (MEITY) had constituted a Committee of Experts, chaired by Justice B.N. Srikrishna (“the Srikrishna Committee”) to frame recommendations for a data protection framework for India. In January, 2018, the Srikrishna Committee concluded a nation-wide stakeholders’ consultation on key issues of data protection. This consultation was based on two hundred and thirty (230) questions that it had raised in the White Paper. Final recommendations of the Srikrishna Committee are awaited.

    Among many other issues raised, the Srikrishna Committee had flagged the protection of cross-border data flows as an important issue in Chapter 8 of Part II of the White Paper. As we have stated earlier, while all stakeholder submissions to the Srikrishna Committee have not been made public, Dvara Research has published a list of twenty-six (26) publicly available comments. This note maps responses of these stakeholders on cross-border data flows.

    The White Paper raises the following four questions on cross border data flows:

    First, “What are your views on cross-border transfer of data?”;

    Second, “Should the data protection law have specific provisions facilitating cross border transfer of data? If yes, what should the adequacy standard be the threshold test for transfer of data?”,

    Third, “Should certain types of sensitive personal information be prohibited from being transferred outside India even if it fulfils the test for transfer?” and,

    Fourth, “Are there any other views on cross-border data transfer which have not been considered?”

    The following table projects the stances of the stakeholders on each of these issues.

     

    Stakeholders Cross-border transfer of data

     

    Whether law needs specific provisions facilitating cross-border transfer Adequacy standard as threshold test for transfer of data

     

    Prohibition on transfer of sensitive personal information, even if it fulfils the test for transfer Other views on cross-border data transfer
    Industry Associations –3*

     

    BSA, iSPIRT, and ITI

    BSA Acknowledge that proper mechanisms for cross-border data flows are essential for cyber-security. Law should explicitly recognize ability to transfer personal data outside India.

     

    Adequacy standard unlikely to add significantly to data protection; could hinder innovation and growth in India’s digital economy. Against bans on transfer of certain categories of data, including those based on the sensitivity of data.

     

     

    No clear response.
    iSPIRT Data protection authority should be able to proactively regulate cross-border transfers. A flexible adequacy framework should be developed. No clear response.

     

    For sensitive data transfer, user consent should be the overriding factor.

     

     

    No clear response.
    ITI Restrictions on cross-border data transfer create challenges for compliance and enforcement and distort global marketplace. No clear response. Adequacy model not recommended for India. No clear response. Model contractual clauses are low-burden way for organizations to comply with obligations to protect personal data during cross-border transfers.
    Civil society organisations – 9**

     

    Access Now; CCG; CIS; Centre for Trade and Investment Law; Harvard FXB Center;

    ORF; Professor Graham Greenleaf; SFLC; and Takshashila Institution.

     

    Access Now Acknowledges that proper mechanisms for cross border flow of data are essential.

    .

     

    An online portal with more information and a policy document on proposals to reform MLAT (Mutual Legal Assistance Treaty) system sent to the Committee.

     

    Pointed out that Article 45, GDPR (General Data Protection Regulation) does not itself provide for an adequacy test, only indicates adequacy as a mechanism for transfer. No clear response. No clear response.
    CCG India should avoid articulations of uncertain scope in claims for extra-territorial jurisdiction.

     

     

    Requirements such as mandatory data localization should be avoided in such restrictive practices.

     

     

    No clear response.

     

     

    No clear response. No clear response.
    CIS Recommends minimal restrictions with respect to cross-boundary transfer of data in India.

     

     

     

     

     

     

     

     

     

     

     

     

    Law should promote cross-boundary transfer by provisions that clarify issues relating to jurisdiction and liability that arises from such transfer.

     

     

     

     

     

     

     

     

     

     

     

    Adequacy standard can be expensive, time-consuming and restrictive process and is not helpful to determine where data can flow freely.

     

     

    Should be left on the individual to determine whether his sensitive personal data can be transferred for specific purpose.

     

     

    Important to clarify how new provision relating to cross-border transfer of data will affect existing legal obligations under MLATs.

     

    Centre for Trade and Investment Law GATS will have implications on restrictions on cross-border data flow. No clear response. No clear response.

     

    No clear response. Any contravention of the mutual responsibilities assigned, on India’s part as a WTO member can be met with opposition by any member state of the WTO.

     

    Harvard FXB Centre Cross-border transfer of data is necessary for health data.

     

     

    Adoption of adequacy test should be considered.

     

     

     

    Periodic review of adequacy or limits of exemptions needed to ensure that policy has the upper ground with respect to the changing technology and cultural acceptance.

     

    Data localisation is not necessarily safer alternative with regard to protection of sensitive data.

     

     

    No clear response.
    ORF  Data protection law must facilitate cross border sharing of data.

     

     

     

    India should not adopt an adequacy standard since data protection rules will take years to mature. No clear response. No clear response. New data protection regime must recognise the need for prioritising the ability of Indian firms to build services based on Indian data.

     

     

    Professor Graham Greenleaf Where it is proposed that delegated processing will take place outside India, all applicable rules concerning cross-border transfers must apply, as if the data was being transferred to a third party.

     

     

    Adequacy standard may be included. India’s DPA    should have    the ability to determine which countries meet adequacy

    criteria under Indian law. However, decision

    should be subject to         objective tests     which  can be tested in the courts, as is the case in EU.

     

     

    No clear response. No clear response.
    SFLC The law should leave no room for ambiguity regarding situations in which data transfer is or is not allowed to another country.

     

     

    Data Protection Authority can ban data transfers to known bad actors by creating two blacklists:

    1.     Countries that violate data safety principles.

    2.     Data controllers known to violate privacy obligations.

    While performing an adequacy test, Data Protection Authority should consider the following, in addition to requirements under Article 45, GDPR:

    ·       Safe storage practices;

    ·       Access to data by judicial process;

    ·       Existence of mass surveillance programs;

    ·       Applicability of the principle of accountability.

    .

    There should be no restrictions on cross-border transfer of sensitive personal data if it fulfils the test for transfer.

     

    No clear response.
    Takshashila Institution There should be strict rules that limit cross-border transfers.

     

     

    Organisational accountability can be achieved through use of codes of conduct, internal policies, procedures regarding handling of personal information, or contractual arrangements.

     

     

    Making adequacy test the threshold test for transfer of data may hinder free movement of data as Data Protection Authority may not have decided about level of data protection in all countries to which data might need to be transferred.

     

     

    Depending on the nature of the information, certain sensitive information may be required to be stored within the country.

     

     

    As an alternative, data protection framework may mandate the use of contractual provisions to ensure appropriate protection.

     

     

     

     

    *Industry Associations: ITI – Information Technology Industry Council, BSA – Business Software Alliance, iSPIRT – Indian Software Product Industry Round Table.

    **Civil Society Organisations: Access Now; CCG- Centre for Communication Governance, NLU Delhi; CIS- The Centre for Internet and Society; Centre for Trade and Investment Law – Dr. James J. Nedumpara and Mr. Sandeep Thomas Chandy, Centre for Trade and Investment Law, Ministry of Commerce; Harvard FXB Center – Harvard FXB Center for Health and Human Rights; ORF – Observer Research Foundation; Professor Graham Greenleaf; SLFC – Software Freedom Law Centre; and Takshashila Institution.

    INSIGHTS

    Adequacy as a threshold test for cross-border data transfers

    The White Paper identifies the adequacy test, articulated under Article 45 of the EU GDPR, as a useful mechanism for protecting transfers of personal data across borders. Simply put, the adequacy test requires that personal data only be transferred to those countries that are declared by the data protection authority as having an ‘adequate’ level of data protection. The Srikrishna Committee’s call for views on an adequacy standard for cross-border data transfers has generated the following responses, broadly:

    1. Adequacy standard should not be adopted by India (3 responses): BSA, ITI, ORF

    1.1 BSA does not consider the adequacy standard to be a significant addition to India’s data protection law.

    1.2 ITI and ORF have stated that the adequacy model is not recommended for India.

    2. Adequacy standard may be adopted by India (4 responses): iSPIRT, Harvard FXB Center, SFLC and Professor Graham Greenleaf

    2.1 As per iSPIRT, Harvard FXB Center and Professor Graham Greenleaf, India should consider adopting an adequacy standard.

    2.2 SLFC has suggested considering the following factors while performing the adequacy test, over and above the requirements under Article 45 of the EU GDPR:

    2.2.1 Safe storage practices;

    2.2.2 Access to data by judicial process;

    2.2.3 Existence of mass surveillance programs

    2.2.4 Applicability of the principle of accountability.

    3. No clear response (4 responses): CCG, Centre for Trade and Investment Law, CIS and Takshashila Institution

    3.1 CCG and the Centre for Trade and Investment Law did not have a clear stance on the subject of an adequacy standard for India’s data protection framework.

    3.2 CIS observed that the adequacy standard can be an expensive, time-consuming and restrictive process which does not help to determine where data can flow freely.

    3.3 Takshashila Institution expressed concern over the effects of the adequacy test on the free movement of data.

    Prohibition on transfer of sensitive personal information

    Chapter IV (Part II) of the White Paper deals with the subject of sensitive personal information, which includes data relating to health, genetics, biometrics, religious beliefs and sexual orientation. Due to the intimate nature of this data and the serious privacy interest involved, the White Paper suggests prescribing heightened protections for sensitive data. In this context, the White Paper sought stakeholders’ opinions on prohibiting the transfer of sensitive personal information to another country, even if it fulfilled the test for cross-border transfers. The Srikrishna Committee’s call for views on the prohibition on transfers of sensitive personal data has generated the following responses, broadly:

    1. In favour of prohibiting transfer of sensitive personal information (1 response): Takshashila Institution

    1.1 Takshashila Institution is of the opinion that certain sensitive information may be required to be stored within the country, depending on the nature of the information.

    2. Against ban on transfer of sensitive personal information (2 responses): BSA and SFLC

    2. 1BSA is against bans on transfer of sensitive personal information

    2.2 SFLC is of the view that there should be no restrictions on cross-border transfer of sensitive personal data if it fulfils the test for transfer.

    3. User consent required for transfer of sensitive personal information (2 responses): iSPIRT and CIS

    3.1 iSPIRT and CIS are of the opinion that it is the user’s prerogative to determine whether his or her sensitive personal data can be transferred.

    4. No clear response (7 responses): Harvard FXB Center, ITI, Access Now, CCG, Centre for Trade and Investment Law, ORF and Professor Graham Greenleaf

    4. 1 These stakeholders did not have a clear stance on the subject of prohibiting transfers of sensitive personal information.

     

    [This post is authored by Shreya Mohapatra, TRA intern and Tuhina Joshi, Associate with inputs from Nehaa Chaudhari, Public Policy Lead].

    Adequacy Standard, Cross Border, Data Protection, Data Subjects, Data Transfer, Government, Ikigai Law, Indian government, Personal Data, Privacy, Sensitive Data, Srikrishna Committee, Stakeholders, Tech Policy, White Paper

    Ikigai Law

    More posts by Ikigai Law

    Related Post

    • Mapping comments to the Srikrishna Committee on data protection (Part II): Data localisation

      By Ikigai Law | 0 comment

      This note maps the opinions of some stakeholders to the White Paper of the Committee of Experts on a Data Protection Framework for India, released on 27 November, 2017 (“White Paper”). While all responses toRead more

    • Stakeholders’ responses to the TRAI privacy consultation paper (Part XII of XII): Technological solutions to monitor compliance

      By Ikigai Law | 0 comment

      This is the twelfth post, in a twelve (12) part series of posts, to map the opinions of all the stakeholders on the basis of their responses to the consultation paper on Privacy, Security, andRead more

    • Stakeholders’ responses to the TRAI privacy consultation paper (Part XI of XII): Parity in the data protection norms between TSPs and other communication service providers

      By Ikigai Law | 0 comment

      This is the eleventh post, in a twelve (12) part series of posts, to map the opinions of all the stakeholders on the basis of their responses to the consultation paper on Privacy, Security, andRead more

    • Stakeholders’ responses to the TRAI privacy consultation paper (Part X of XII): Safety and security of telecommunications infrastructure and digital ecosystem

      By Ikigai Law | 0 comment

      This is the tenth post, in a twelve (12) part series of posts, to map the opinions of all the stakeholders on the basis of their responses to the consultation paper on Privacy, Security, andRead more

    • Stakeholders’ Responses to the TRAI Privacy Consultation Paper: Part IX of XII – Key Issues Pertaining to Encouraging the Creation of New Data Based Businesses

      By Ikigai Law | 0 comment

        This is the ninth post, in a twelve (12) part series of posts, to map the opinions of all the stakeholders on the basis of their responses to the consultation paper on Privacy, Security,Read more

    Leave a Comment

    Cancel reply

    Your email address will not be published. Required fields are marked *

    NextPrevious

    Tags

    #DataProtection #Fintales bitcoin Blockchain Budget Consent Consultation Consultation Paper cryptocurrency data Data Controllers data governance Data localisation Data Protection Data Subjects digital economy Digital India Drones E-Commerce Facebook Fintech Government Government of India healthtech Ikigai Law India Indian government Innovation intermediary liability MeITY Notice Personal Data policy Privacy RBI Recommendation Regulation Srikrishna Committee Stakeholders Startups Surveillance Technology Tech Policy TechTicker TRAI

    Connect with Ikigai Law

    Copyright 2018 Ikigai Law | All Rights Reserved             

    Information

    • Practice Areas
    • Blog
    • Careers
    • Contact Us
    • Privacy Policy

    Contact us

    Office
    T-7/402, Commonwealth Games Village Apartment,
    New Delhi, Delhi 110092 India.

    Email Address

    contact@ikigailaw.com

    • About Us
      • About
      • Our Team
      • FinTales
      • Tech Ticker
    • Practice Areas
    • Blog
    • News & Events
      • Ikigai Law in the news
      • Ikigai Law at events
      • Ikigailaw on the social media
    • Careers
    Ikigai Law